How to Fail A Penetration Test
This presentation is the property of its rightful owner.
Sponsored Links
1 / 24

Scott Teeters, Jr. MicroSolved, Inc. in partnership with Sogeti USA PowerPoint PPT Presentation


  • 76 Views
  • Uploaded on
  • Presentation posted in: General

How to Fail A Penetration Test Concepts in Securing a Network. Scott Teeters, Jr. MicroSolved, Inc. in partnership with Sogeti USA . Background. Sogeti USA Sogeti USA LLC, part of the Sogeti Group, provides information technology services to businesses and public sector organizations.

Download Presentation

Scott Teeters, Jr. MicroSolved, Inc. in partnership with Sogeti USA

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Scott teeters jr microsolved inc in partnership with sogeti usa

How to Fail A Penetration Test

Concepts in Securing a Network

Scott Teeters, Jr.

MicroSolved, Inc.

in partnership with

Sogeti USA


Background

Background

  • Sogeti USA

    • Sogeti USA LLC, part of the Sogeti Group, provides information technology services to businesses and public sector organizations.

  • MicroSolved,Inc.

    • MicroSolved, Inc. provides information security services and consulting to Sogeti USA customers.

http://www.secureassure.com


Today s agenda

Today’s Agenda

  • Common issues that cause an organization to fail penetration tests

  • Some suggestions on how an organization may improve their security posture

http://www.secureassure.com


Scott teeters jr microsolved inc in partnership with sogeti usa

Note:

All ideas mentioned in this presentation also apply to any wireless or modem (dialup) systems as well.

http://www.secureassure.com


Policy issues

>Policy Issues

http://www.secureassure.com


Problems with policies and processes

Problems with Policies and Processes

  • Inconsistent application of policies throughout the organization

  • Poorly designed policies and standards

  • Example: Password are not required for all forms of network and application access

http://www.secureassure.com


Proper use of policies and processes

Proper Use Of Policies and Processes

  • Policies and Processes are developed in accordance with industry standard best practices, and/or an appropriate regulatory guideline

  • Policies are broad enough to establish the expected behavior in the user population

  • Policies are consistently applied across the organization

http://www.secureassure.com


Example

Example:

  • A proper password policy

    • Passwords are required for all forms of network and application access

    • Password strength is mandated to meet a specific level (IE: 7 Chars, Alpha-Num, w/special characters and mixed case)

    • Password rotation is large enough to prevent password reuse issues

    • Administrative/root access is strongly protected, requiring a token

http://www.secureassure.com


Another policy issue

Another Policy Issue:

  • Poor Domain Trust Choices

    Who trusts who?

    • Weak trust structure

      • Types of trust

      • Some domains have less security than others

http://www.secureassure.com


Example1

Example:

  • Good Domain Trust Choices

    Who trusts who?

    • Unidirectional trust

      • Allows work to be done

      • Protects Production domain

http://www.secureassure.com


Process issues

Process Issues:

  • Information Leakage Problems

    Who’s saying what?

    • Example of Usenet leakage

      "Gary Smith" <Gary [email protected]> wrote in message news:[email protected]..

      I have a data communication application that uses TAPI 2.x for doing async modem protocols. This application has been in use for three years. I have discovered a problem, and can recreate it where data is lost somewhere between the modem and my application but it only happens on Windows 2000 machines. If I run it on a Windows NT 4.0 machine, it works fine...

http://www.secureassure.com


Process solution

Process Solution:

  • Combating Information Leakage

    Who’s saying what?

    • Have technical staff members use email and Usenet posting addresses not associated with the organization

    • Make sure users know not to post corporate identifiers online

    • Monitor the Internet for information leakage problems and address them ASAP

http://www.secureassure.com


Problems with patching

>Problems with Patching

http://www.secureassure.com


Poor patch management

Poor Patch Management

  • Systems are not current on patches/hotfixes

  • Patches are not consistently applied throughout the organization

  • Patches are more than security, they also may provide:

    • Stability

    • New Features

    • New Ways to Prevent Illicit Access

  • Patch problems can hurt you!

http://www.secureassure.com


Patching details matter

Patching Details Matter

  • Sometimes, patches have to be applied in a specific order or manner

    • Failing to do so, may actually INCREASE your vulnerability!

http://www.secureassure.com


Proper patch management

Proper Patch Management

  • Patch levels are monitored on a regular basis using manual processes or automated vulnerability assessments

  • Patches are tested in a isolated environment before being applied to production systems and devices

  • Patches apply to operating systems, applications and even hardware devices

  • Policies and standards clearly define the mechanisms and frameworks for acquiring, testing and deploying patches, fixes and version upgrades

http://www.secureassure.com


Configuration downfalls

>Configuration Downfalls

http://www.secureassure.com


Configuration issues

Configuration Issues

  • Poorly configured perimeter implementations

    • Example: Firewall rules are not granular or allow too much access

  • Internal network does not meet industry standard best practices

    • Example: Unnecessary services offer footholds for attackers

  • Systems are not adequately hardened

    • Example: Access controls allow easy access to confidential data

http://www.secureassure.com


Proper perimeters

Proper Perimeters

  • Access controls systems (ie: firewalls, router, etc.) start with a deny all attitude

  • Services are added with specific granularity as required for business

  • Internet visible systems are physically and logically segregated from production networks

  • Intrusion detection tools allow for easy anomaly and danger identification

  • Systems are carefully monitored via log files or agents using a manual or automated process

  • Alternate forms of access (ie: remote management, VPN, RAS, etc.) terminate in a DMZ or segregated segment

http://www.secureassure.com


Proper network configuration

Proper Network Configuration

  • Domain trusts are properly applied and implemented

  • Unneeded services are not running on network connected systems and devices

  • Proper egress controls assist in preventing malware spreading and attacks against other networks

  • IDS is deployed to assist with problem detection and troubleshooting

  • The network is monitored for changes in performance and traffic levels which could indicate a security or other type of issue

http://www.secureassure.com


Proper system configuration

Proper System Configuration

  • Systems are hardened in accordance with a baseline

    • Examples: SANS configurations, CIS baselines

  • Systems are up to date on patches and fixes

  • Unneeded services have been disabled

  • All systems use anti-virus software with regular automatic updates

  • Personal firewalls are deployed where appropriate, at a minimum on all laptops and notebooks

  • Access controls have been appropriately applied to each device and its file system

  • Users are aware of existing policies and guidelines

http://www.secureassure.com


Keeping it all together

Keeping it All Together

  • You have a complex environment

  • Not all users will behave as expected

  • Patches and fixes come fast and furious

  • How do you keep all these variables under control?

    REGULAR ASSESSMENT & MONITORING

http://www.secureassure.com


How to fail a penetration test

Implement poor policies and processes

No policies and processes also count!

Mismanage patches and fixes

Misconfigure your perimeter, network and/or systems

Take a number, attackers will be right with you…

How To Fail A Penetration Test

http://www.secureassure.com


Scott teeters jr microsolved inc in partnership with sogeti usa

Thank You

Sogeti USA

http://www.sogeti-usa.com

Chris Rice

[email protected]

Or

Scott Teeters

[email protected]

more information


  • Login